The SEC’s Broken Windows Enforcement Policy: Is there Anything New Here?
Denver G. Edwards
Summary: This article examines the Commission’s Broken Windows enforcement program and whether it
should change how compliance professionals think about carrying out their duties. Historically, the
Commission has been perceived as monitoring all areas of the securities markets. Broken Windows does not
appear to be a significant shift. Instead, Broken Windows has intensified existing elements of the
Commission’s enforcement program. Compliance personnel need not overreact to the Commission
rebranding as the tough cop on the beat, but they should remain vigilant of business practices within their
organizations, leverage technology to monitor their organization’s commercial activities, and think creatively
about where and how violations may occur.
In the early 1990s, if you drove a car in New York City and were lucky, men carrying squeegees sprayed water
on your windshield and demanded a tip. If you were unlucky, squeegee men, as they were known, merely
spat on your windshield, wiped it off with a dirty rag, and then demanded a tip. Subway cars were “tagged”
with graffiti and riders felt unsafe. Prostitution and peep shows littered Times Square, and up the street in
Bryant Park, the drug trade flourished.
Former Mayor Rudy Giuliani and Police Commissioner Bill Bratton adopted a policing strategy in 1994 known
as “Broken Windows” to combat “quality of life crimes.” The theory is that “when a window is broken and
someone fixes it, it is a sign that disorder will not be tolerated. But, when a window is not fixed, it is a signal
that no one cares, and so breaking more windows cost nothing.” Broken Windows aimed to avoid an
environment of disorder that would encourage more serious crimes to flourish and to send a message of law
and order. No infraction was too small to be uncovered and punished.
New York is markedly better today than it was in 1994. The squeegee-men have been banished. Subway
cars are clean and safe day or night. Times Square is home to “Good Morning America,” and Bryant Park
hosts New York Fashion Week in the fall and movie screenings in the summer.
Securities and Exchange Chairwoman, Mary Jo White, was the United States Attorney for the Southern District
of New York from 1993 through 2002, and she witnessed New York’s transformation under Broken Windows.
Chair White has sought to adapt the Broken Windows approach to regulation of the securities market.
In a speech on October 9, 2013, Chair White said that the Commission’s enforcement program intends to be
perceived as being “everywhere, pursuing all types of violation of federal securities law, big and small.”
“Even the smallest infractions have victims, and the smallest infractions are very often just the first step
toward bigger ones,” which “can foster a culture where laws are increasingly treated as toothless guidelines.”
The Commission will be a strong cop on the beat and the Division of Enforcement will pursue not just the
biggest frauds, but also violations such as control failures, negligence-based offenses and strict liability
offenses where intent is not required.
The Broken Windows Enforcement Program
The Broken Windows enforcement program is comprised of five elements:
Streamline collaboration with the Department of Justice, Financial Industry Regulatory Authority (FINRA), and state securities regulators;
Target gatekeepers;
Leverage the Office of Compliance Inspections and Examinations (OCIE) to understand and monitor the latest risks and to provide effective oversight;
Incentivize whistleblowers to report wrongdoing; and
Marshal technology to analyze data efficiently.
Each of the first four elements has been a constant feature of the Commission’s enforcement regime. The
Commission routinely works with the Department of Justice to conduct parallel investigations, as evidenced
by recent insider trading investigations. Similarly, the Commission works with SROs, such as FINRA, to
conduct “sweeps” to target industry-wide behaviors that are detrimental to investors and could jeopardize
the integrity of the financial markets. The Commission collaborates with the North American Securities
Administrators Association and state securities regulators to get intelligence on developments in state
securities markets so that it can target issues before they become systemic problems.
The Commission has increasingly targeted “gatekeepers,” including attorneys and accountants since passage
of the Sarbanes-Oxley Act (SOX), and more recently it has targeted broker-dealers who violate the market
access rule.
OCIE has been the Commission’s “boots on the ground” to monitor risks posed by registrants since its
creation in May 1995. OCIE has been a source of referrals for the Division of Enforcement since its inception.
A key difference today, however, is that OCIE examiners specialize in discrete areas and are able to better
understand the businesses they are examining, and the Division of Enforcement now values investigating and
bringing non-fraud enforcement actions as it does bringing insider trading cases.
The Commission’s whistleblower bounty program has been effective since enactment of the Insider Trading
and Securities Enforcement Act of 1988, which mandated payments for tips reporting insider trading. The
Dodd-Frank Wall Street and Consumer Protection Act (Dodd-Frank) provides a 10% - 30% bounty for
reporting violations of the securities laws in SEC or CFTC enforcement actions that result in monetary
sanctions greater than $1 million.
The Commission’s investment in technology is the new feature of its enforcement program and may have the
most significant impact on broker-dealer compliance functions. The Commission created the Center for Risk
and Quantitative Analytics (CRQA) with a mandate to develop quantitative methods to monitor signs of
potential wrongdoing and high risk behaviors. CRQA will feed its findings to the Division of Enforcement to
investigate and prevent conduct that harms investors. The Commission has also developed the Advanced
Bluesheet Analysis Program to analyze relationships among market participants to identify suspicious trading
which may not be readily apparent. It also uses predictive analyses to spot trends, identify aberrational
performance, and analyze data from new data sources, such as Form PF. On the examination side, the
National Examination Analytics Tool (NEAT) enables the examiners to analyze millions of transaction
documents accurately within a short time, and enables OCIE to do more precise and sophisticated
examinations.
More information about the long-term effectiveness of the Commission’s analytics tools is needed. Based on
recent releases from the Commission, the tools are working as intended, and have increased the
Commission’s ability to devise sophisticated surveillances of broker-dealer activities. For example, the Staff
conducts link analyses, which look for relationships between two disparate data sources, in insider trading
cases. Link analysis has been used to analyze phone records and trading data to determine if two suspects
had a phone call with the same person. In another example, the Staff has used link analysis to analyze large
volumes of brokerage firm data to identify instances when a corporation allegedly purchased and sold its own
stock, with no significant gain or loss, to create fictitiously high trading volume in order to obtain bank
financing. The Staff has also used analytics to detect aberrational performance of a hedge fund that
fraudulently claimed it performed better than its peers throughout good and bad markets. These analyses
used to take the Staff weeks or months to perform and were subject to human error. Today, these analyses can
be completed within days. As a result of the Commission’s zero-tolerance for technical violations or control
failures, and its willingness to bring enforcement actions for non-fraud cases, compliance officers will need
to rethink how they fulfill their roles to protect their institutions.
Broken Windows Presents Opportunities for Compliance
Broken Windows presents two potential opportunities for compliance: (1) a chance for more assertiveness
with business units in instituting rigorous controls and testing those controls more frequently; and (2) an
opening to negotiate for more resources to respond to the regulatory environment and greater cooperation
from other areas of the firm.
Broker-dealers are required by statute/regulations to have written supervisory policies and procedures
(WSPs) regarding their activities. Compliance is a partner to a firm’s business units. However, the goal of the
firm is to make money for clients, shareholders and employees, and onerous and overly restrictive WSPs may
be perceived as limiting legitimate commercial activities for which buy-in from business units is necessary.
Broken Windows presents an opportunity to tighten existing WSPs to limit supervisory gaps, require
increased cooperation between compliance personnel and line supervisors, offer more training on codes of
conduct and ethics for employees and management, and obtain more certifications or attestations regarding a
supervisor’s fulfilling his or her supervisory obligation.
Moreover, Broken Windows policies may help compliance obtain more resources and organizational support.
Currently, compliance initiatives are balanced against interests of the firm, including for example, technology
and operations projects that drive the firm’s commercial success. Compliance can cite penalties/fines as
evidence of the Commission’s aggressive approach to demonstrate that lack of resources, including personnel
or proper technology, creates enterprise-wide legal, regulatory, and reputational risks that may have
far-reaching consequences for clients, counterparties, shareholders, and may cause personal liability to
supervisors and management.
The intensity around the Broken Windows enforcement policy arms compliance with tools to make the case
to employees to report violations to compliance in order for the organization to avoid regulatory scrutiny,
fines, and penalties. Compliance must balance encouraging employees to report violations internally while
not undermining the employee’s right (and perhaps the Commission’s expectation) to report securities
violations externally. As a starting point, compliance could appeal to the shared responsibility of each
employee to root out bad actors that violate the securities laws, jeopardize investors, and threaten the
integrity of the market. It could also promote methods within the organization to facilitate reporting
violations, such as toll-free hotlines, an ombudsman position, anonymous e-mail websites to accept tips, and
drop-boxes to submit tips regarding violations.
Without suggesting employees should not report externally, compliance could point out to employees that
reporting outside (1) does not guarantee an award due to the high threshold (voluntarily providing original
information and $1 million sanction), and (2) may have an impact on the organization. For example, in fiscal
year 2014, the Commission received 3620 tips of which 139 (3.8%) received the designation of Notice of
Covered Action (“NoCA”) and were therefore eligible for an award. Since the inception of the program in August
2011, only 5.6% of tips (570 out of 10,193) have received the NoCA designation. The impact of
non-qualifying tips includes business disruption, lost productivity, costs to retain legal counsel to defend against
regulatory investigations, and potential damage to the firm’s reputation, and client or counterparty
relationships. Compliance should reiterate to employees that external reporting remains an option if the
employee reports a violation internally to a designated person and the violation is not addressed timely. This
approach balances the firm’s goal of operating in an efficient, ethical and commercially reasonable manner
with the Commission’s interest in protecting investors and the market.
Considerations for Compliance Professionals
Compliance personnel who actively work with a business unit to implement WSPs risk being labeled a
supervisor and may be subject to liability for aiding and abetting or failure to supervise. Compliance
personnel may minimize the risk of being labeled a supervisor by establishing in meetings with business
supervisors that although he or she is an integral part of the business unit’s operations, the business
supervisor is the designated supervisor. Compliance personnel must document the supervisory reviews of
the business that the supervisor is responsible for overseeing, and should periodically obtain certifications or
attestations from supervisors indicating that she or he understands his or her supervisory role and is
undertaking his or her supervisory obligations. More generally, compliance should ensure that the firm’s
supervisory manual states that compliance personnel are solely responsible for activities within the
compliance department.
Compliance personnel should have a predetermined process to investigate, track and document red flags.
They must act decisively when red flags surface or if red flags are brought to their attention. Compliance
personnel should document each red flag, which business supervisors will address the red flag, and what
corrective action will be taken. Compliance personnel must take reasonable steps to follow up with the
business supervisor to ensure the issue has been resolved and then must monitor the issue to ensure it does
not recur. Compliance personnel should also share information with firm management (particularly if a red
flag involves a senior manager), and should be prepared, and have a process in place, to escalate matters to
the Board of Directors if management fails to take corrective action.
Membership on firm committees is also an area of concern for compliance personnel. As evidenced in In the
Matter of Theodore Urban, membership on certain firm committees may cause the Commission to determine
that compliance personnel who, as a member of a committee, learn critical information about a violation have
a duty to ensure that corrective action is taken. The Commission’s approach exposes compliance personnel to
personal liability that could potentially jeopardize careers and, as a result, may cause qualified candidates to
avoid compliance roles.
The Commission’s use of data analytics tools has increased the pressure on compliance personnel to ferret
out fraud, technical violations, and control failures. One approach is to conduct surveillances similar to those
performed by the SEC’s analytics teams. Some reliable off-the-shelf surveillance may be available, but
compliance may have to leverage internal information technology resources and get buy-in from business
units to build surveillance tools to counter the SEC. The associated costs may be significant since the
Commission’s data analytics program is continuously evolving and broker-dealers would need to keep pace.
However, since repeated violations could lead to increasingly severe fines, create the impression that there is
a lack of institutional control at firms, personal liability, and could jeopardize firms’ reputation and client
relationships, firms may have limited choice.
The other alternative is for compliance personnel to rely on the traditional approach, which is based on
developing strong policies and procedures that match the firm’s business and the regulatory environment,
and diligent oversight. This approach requires frequent monitoring and testing of the adequacy of business
units’ compliance with policies and procedures. It also requires that compliance personnel regularly ask where
issues could occur, what controls are in place to prevent or detect problems, and what residual risks remain
unmitigated by such controls.
Broken Windows has helped the Commission become more efficient in how it implements its enforcement
program. Yet, Broken Windows does not represent a substantive change in the Commission’s enforcement
policy. SOX and Dodd-Frank reiterated to compliance personnel the need to establish strong controls and
vigilance to protect their firms, investors, and the integrity of the market. Responsible compliance personnel
have heard that message and approach their roles with professionalism and integrity. Broker-dealers should
continue to prioritize implementing existing regulations, monitor controls, and thoughtfully consider where
violations may occur within their organizations, rather than overreact to the Commission’s efforts to rebrand
itself as a tough cop on the beat.